Strange Reaction to Valid Traffic



  • Long time lurker, first time poster…

    I've been configuring my firewall rules, and I'm running into some logs on the firewall that don't make sense.  The source and destination are valid, and the source IP address traces back to Google.  I'm using Google HTTPS services, and the destination of my traffic matches this.

    So the question is, why is this being blocked?  Is it a TCP session issue?  Or is Google sending me unsolicited traffic just for the fun of it?

    Mike

    ![MithrilHall.toecker.com - Status_ System logs_ Firewall-2016-04-06 19_58_43.png](/public/imported_attachments/1/MithrilHall.toecker.com - Status_ System logs_ Firewall-2016-04-06 19_58_43.png)



  • Looks like typical out of state traffic. Maybe shortly after a reboot, so a connection that was established and lost state from the reboot?


  • Rebel Alliance Global Moderator

    You're going to see that quite a bit on a pfSense reboot or reset of states. Or just clients switching connections, like cell phones: they might start a connection via cell and then, say, switch over to your wifi and not open up a new session, but just try sending packets, which to pfSense would be seen as out of state.

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection



  • Thanks folks, I appreciate the assistance.  Good to know it's an anticipated artifact, and not something else.  I'm going to reboot the router, isolate the systems involved, and figure out which ones are giving me the heartburn.

    Then, just silently drop crap like this instead of logging it.

    Mike


  • Rebel Alliance Global Moderator

    The firewall is already dropping them.

    If you don't want to log this sort of thing, you can turn off default logging and create your own block rules with logging on that log what you want.  For example, I use a block rule that just blocks and logs TCP SYN packets. This way I do not see a lot of UDP noise either, which is quite a lot on the WAN. It just clutters up my logs, if you ask me.

    They'd still be blocked with the default rule, just not logged, is all.  I just want to see the TCP SYNs that are sent to my WAN.  Sure, a lot of boxes looking for ssh and telnet ;)



  • Smart phones cause this to happen a lot.



  • @Harvy66:

    > Smart phones cause this to happen a lot.

    Yeah, some do when they switch from cellular to wifi; they'll try to use the connections they had established over the cell network via the wifi using the new IP (like that could ever work). Though that's the opposite direction; you'll get those blocks on LAN rather than WAN in that case.
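
The thread distinguishes blocked TCP SYNs (new connection attempts) from out-of-state segments, on WAN after a state reset and on LAN from roaming phones. The script below is an added example, not part of any post above, that sorts exported log entries along that line; it assumes pfSense's raw filterlog CSV layout for IPv4, that em0 is WAN and em1 is LAN, and uses constructed sample lines.

```python
from collections import Counter

# Constructed sample: CSV payloads of filterlog entries (syslog prefix removed).
# Assumed layout (IPv4): field 4 interface, 6 action, 16 protocol, 18/19 src/dst,
# 20/21 ports, 23 TCP flags. Addresses are documentation/private ranges.
SAMPLE = [
    "5,,,1000000103,em0,match,block,in,4,0x0,,55,12345,0,DF,6,tcp,52,203.0.113.10,198.51.100.2,443,51514,0,FA,1234,5678,342,,",
    "5,,,1000000103,em0,match,block,in,4,0x0,,55,12346,0,DF,6,tcp,83,203.0.113.10,198.51.100.2,443,51514,31,FPA,1234,5678,342,,",
    "5,,,1000000103,em0,match,block,in,4,0x0,,48,1111,0,DF,6,tcp,60,192.0.2.77,198.51.100.2,40022,22,0,S,42,,29200,,mss",
    "5,,,1000000103,em0,match,block,in,4,0x0,,48,1112,0,DF,6,tcp,60,192.0.2.77,198.51.100.2,40023,23,0,S,43,,29200,,mss",
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,777,0,DF,6,tcp,83,192.168.1.50,203.0.113.10,50444,443,31,PA,111,222,1024,,",
    "5,,,1000000103,em0,match,block,in,4,0x0,,50,4321,0,none,17,udp,78,192.0.2.90,198.51.100.2,5060,5060,58",
    "5,,,1000000103,em0,match,block,in,4,0x0,,52,2222,0,DF,6,tcp,60,192.0.2.80,198.51.100.2,51000,443,0,SEW,999,,29200,,mss",
]

def parse(payload):
    """Return a dict for IPv4 TCP entries, None for anything else."""
    f = payload.split(",")
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"iface": f[4], "action": f[6], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21]), "flags": f[23]}

def classify(entry):
    """'syn' = new connection attempt; 'out-of-state' = segment with no matching state."""
    # Assumption: E and W are the ECN bits (ECE/CWR) in pf flag notation; a SYN
    # that carries them is still a new connection attempt.
    core = entry["flags"].replace("E", "").replace("W", "")
    return "syn" if core == "S" else "out-of-state"

def summarize(payloads):
    """Count blocked TCP entries by kind, and out-of-state ones per (interface, source)."""
    kinds, stale = Counter(), Counter()
    for p in payloads:
        e = parse(p)
        if e is None or e["action"] != "block":
            kinds["ignored"] += 1
            continue
        kind = classify(e)
        kinds[kind] += 1
        if kind == "out-of-state":
            stale[(e["iface"], e["src"])] += 1
    return kinds, stale

if __name__ == "__main__":
    kinds, stale = summarize(SAMPLE)
    print(dict(kinds))
    for (iface, src), n in stale.most_common():
        print(f"{iface} {src}: {n} out-of-state segment(s)")
```

Out-of-state entries grouped on the LAN interface point at the local client that kept using an old connection, which is the isolation step the original poster planned.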